Archive

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Figure 2: Macro downloaders’ prevalence in affected countries

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person's curiosity. With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Figure 2: Macro downloaders’ prevalence in affected countries

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients, and cross-references them with numerous signals.

MMPC threat intelligence leverages algorithms to construct and manage a view of threats in the ecosystem. When the endpoint product encounters suspicious activities, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allows the fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

Figure 1: How the cloud protection and telemetry works from the endpoint and back.